Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

extract fields in log4j files

arjangoos
Path Finder
‎10-19-2012 05:54 AM

Hi,

I want to make a timechart of the different errors in my application. To do this I need a fieldextractions.

the log4j format is like this:
10-19@09:25:45 ERROR rss.AbstractPostcodeBasedFeedPanel - Failed to load feeds from: [http://10.9.1.192/Cms.Backend/wscmsrssservice.asmx/GetBekendmakingenByPostcode?pPostcode=3071AS]
nl.rotterdam.ioo.mijnloket.homepage.util.rss.UnableToCreateSyndFeedListException: java.net.SocketTimeoutException: Read timed out

So I want the time (10-19@09:25:45) | type of message (ERROR) | the text between ERROR and - | and the text between : and : | and the text between : and :

How can I do that. The field extraction for time and type of messages is simple but can you help me with the other extractions

Kind regards

Tags (1)
0 Karma
Reply

sdaniels
Splunk Employee
Splunk Employee
‎10-19-2012 06:31 AM

Splunk will automatically recognize the standard output for log4j. Can you use the default format? From our docs:

log4j   Log4j standard output produced by any J2EE server using log4j   2005-03-07 16:44:03,110 53223013 [PoolThread-0] INFO [STDOUT] got some property...

With a non-standard format you could use the Interactive Field Extractor capabilities to easily extract fields and create the regex for you automatically

http://docs.splunk.com/Documentation/Splunk/5.0/Knowledge/ExtractfieldsinteractivelywithIFX

I would recommend taking a look at this as well for future use of log4j and Splunk: https://github.com/damiendallimore/SplunkJavaLogging

0 Karma
Reply

sdaniels
Splunk Employee
Splunk Employee
‎10-22-2012 04:00 AM

Is ERROR and the '-' always going to be in the log?

0 Karma
Reply

arjangoos
Path Finder
‎10-22-2012 02:15 AM

At this time it is not possible to change the log4j format. So I think I need to use the interactive Field Extrator. But I am not able to get the result I want.

ERROR rss.AbstractPostcodeBasedFeedPanel -

What is the regex to get the text between ERROR and -.

Kind regards,

Arjan

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Event Series: Splunk Observability Metrics Cost Optimization

Balancing Scale and Spend: Gaining Control Over High-Volume Metrics in Splunk Observability Cloud As ...

Kick the Tires Before You Commit: A Hands-On Tour of the Splunk Observability Cloud ...

Evaluating an enterprise observability platform usually goes like this: fill out a form, get a free trial with ...

Deep insights, no barriers: Splunk Observability Cloud Free Edition

As software delivery cycles continue to accelerate, observability shouldn’t be a luxury — it should be a ...